Do Fraud Prevention Deny Lists Cause More Problems Than They Solve?

Think deny lists are the best way to prevent ecommerce fraud?

If so, you’re definitely not alone. deny lists are a popular “hands-off” way for ecommerce merchants to try to protect themselves from fraud.

But the ecommerce merchant whose deny list blocked a loyal celebrity customer might have a different opinion.

That’s what happened to one of our clients before they decided to work with us. A celebrity customer who was making multiple high dollar purchases (upwards of $3,000 each) per week was deny listed because the transaction frequency and amounts “seemed” suspicious.

Like most celebrities, this customer was using an assistant’s name to protect their identity. And they weren’t too happy about being blocked.

The loss was significant:

• At a pace of $30,000 per week, that celebrity customer could have represented over a million dollars of sales in one year.
• Any possibility of the client providing a much-desired endorsement – and all the revenue that would have generated? Gone.
• The risk of negative exposure on social media if that celebrity complained was terrifyingly high – especially when you consider that 35% of average consumers say they would complain on social media after being declined for just one purchase.

The lesson our client learned? Fraud prevention deny list can backfire in epic fashion.

What are Fraud Prevention Deny Lists?

Merchants need to have a strategy to prevent chargebacks. Otherwise, they run the risk of carrying a high chargeback rate, which will result in high fees and monitoring programs with their credit card processors.

A fraud prevention deny list is a shortcut that many ecommerce merchants use to protect themselves from repetitive chargebacks and other types of criminal fraud. It is a list of information pertaining to the transaction, including

Typical Deny List Data Points:

Credit card details

Physical addresses

Customer names

IP addresses

Email addresses

Country information

When merchants are hit with chargebacks they often add the transaction information to a filter that is set to automatically deny any future transaction containing any of those data values.

It seems simple. But that’s the problem. It’s too simple. People move, they are multi-channel shoppers, their email addresses change – and deny lists cut too broad of a swath to even consider these finer points of consumer behavior.

Why Don’t Fraud Prevention Deny Lists Work?

At ClearSale, we talk about false declines and how detrimental they are to your ecommerce business. A false decline happens when a legitimate transaction is mistaken for fraud. The customer is subjected to embarrassment, humiliation, and unnecessary concern about their credit card security.

The result is a lost sale and an upset customer who may be among the 37% that will never shop with you again. Fraud prevention Deny Lists exponentially increase the likelihood of false declines exponentially and can risk your losing the lifetime value of a good customer.

“'Blacklists' block not only fraudsters but also many good customers.”

– David Fletcher, Senior Vice President at ClearSale

You Could Be Deny Listing a Legitimate Customer

In 2020, every other transaction in the financial industry was related to an account takeover (ATO). That represents a 20% increase in ATO from the previous year. It’s not surprising, then, that ATO fraud attempts increased by 282% from 2019 to 2020.

ATO fraud happens when a fraudster hacks into an online database and steals customer data. This data is then used by that fraudster (and others) to take over the identity of legitimate customers and even change or set up new bank/credit card accounts in the customer’s name.

Why is this important? It highlights the risk of putting customers on a fraud prevention deny list solely because of a chargeback and/or fraudulent transaction. By doing this, you will almost certainly be deny listing legitimate customers – who are as much victims as your business is.

Instead, merchants need to apply more sophisticated ways to evaluate transactions, such as up-to-date intelligence, behavioral biometrics, purchase history, and account velocity. This pinpoint approach prevents fraud without catching legitimate customers in the net.

Transaction Data Is Not Necessarily Fraudster-Specific

Not all order details from a fraudulent transaction are unique to the fraudster. For example, large apartment buildings, university dorms, shippers, and other multi-unit buildings share an address but include a large number of people. Blocking one of those addresses can prevent hundreds of legitimate customers from making transactions.

Along the same lines, IP addresses are dynamic. The IP address a user has today can belong to someone else five days from now. Adding an IP address to a deny list will almost certainly block a valid customer.

Fraudsters Can Get Around Fraud Prevention Deny List

Fraudsters constantly change the details they provide when placing orders online. Think about how easy it is to create a new email accounts today. Fraudsters have a treasure trove of stolen credit card details, proxy servers, and shipping addresses to choose from.

Plus, it’s important to understand that unless you’re a fraud prevention expert, fraudsters will often be three steps ahead of you. So, adding their transaction details to a deny list and blocking their transactions will only cause them to use a different combination of credit card and shipping address details.

Is There Ever a Good Reason to Use Deny List?

In some unique situations, a deny list may make sense. Usually, those situations have nothing to do with fraud or are peripherally related. But there are times when preventing customers from making transactions is needed.

Blocking these customers makes sense, but we recommend being very judicious with deny list and considering a more comprehensive approach to fraud prevention.

Are Your Fraud Prevention Deny Lists Helping?

If you have been using fraud prevention deny lists, here’s how to determine if your deny list is helping or hurting:

·       Look at Your False Decline Rate

If your deny list is working, your false decline rate should be low. If you are experiencing a high rate of false declines and social media complaints and blocked transactions, your first place to look should be your deny list.

·       Check The Last Update Date For Your Deny List

If the last time you updated your fraud prevention deny list was more than two months ago and you include IP addresses, make sure to create a process for evaluating and updating your list. And most importantly, track why each entry is on the list. During each evaluation, see if that rationale is still relevant – you may have new information that can change things considerably.

Ultimately, fraud prevention deny lists should be handled gingerly. To truly fight fraud, you’ll need a more strategic approach.

The Best “Deny List” Is Fraud Prevention

Fraud prevention is not a one-size-fits-all activity. Not only do you need to stay up-to-date on fraud trends, locally and globally, you also need to have the experience and bandwidth to do a complete analysis using technology and manual reviews.

If you’re thinking, “That’s a full-time job in itself!” you’re right. And depending on your sales volume and industry, it may be several full-time jobs. The sophistication and power behind today’s fraud attacks won’t be stopped by in-house solutions unless you’ve got a dedicated team of experts to hand.

That’s where a fraud prevention partner comes in. An expert team that can analyze transactions, identity potential fraudulent patterns, and maintain a warning list for further examination will help you take fraud off your plate, so you can focus on sales and grow your business. At ClearSale, we can help you find alternatives to a fraud prevention blacklist and keep your online business protected.